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, Abstract 

We investigate how a classical private key can be used by two players, connected by an 
' insecure one-way quantum channel, to perform private communication of quantum information. 

. In particular we show that in order to transmit n qubits privately, 2n bits of shared private key 

are necessary and sufficient. This result may be viewed as the quantum analogue of the classical 
one-time pad encryption scheme. From the point of view of the eavesdropper, this encryption 
process can be seen as a randomization of the original state. We thus also obtain strict bounds 
on the amount of entropy necessary for randomizing n qubits. 
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Secure transmission of classical information is a well studied topic. Suppose Alice wants to send an 
n-bit message M to Bob over an insecure (i.e. spied-on) channel, in such a way that the eavesdropper 
Eve cannot obtain any information about M from tapping the channel. If Alice and Bob share some 
Ch ' secret n-bit key K, then here is a simple way for them to achieve their goal: Alice exclusive-ors 

^ ■ M with K and sends the result M' = M (B K over the channel, Bob then xors M' again with K 

qh| and obtains the original message M' Q) K = M. Eve may see the encoded message M' , but if she 

does not know K then this will give her no information about the real message M, since for any M 
there is a key K' giving rise to the same encoding M' . This scheme is known as the Vernam cipher 
or one-time pad ("one-time" because K can be used only once if we want information-theoretic 
I security). It shows that n bits of shared secret key are sufficient to securely transmit n bits of 

information. Shannon [3ha45, |Sha4£ ] has shown that this scheme is optimal: n bits of shared key 



are also necessary in order to transmit an n-bit message in an information-theoretically secure way. 

Now let us consider the analogous situation in the quantum world. Alice and Bob are connected 
by a one-way quantum channel, to which an eavesdropper Eve has complete access. Alice wants to 
transmit to Bob some n-qubit state p taken from some set S, without allowing Eve to obtain any 
information about p. Alice and Bob could easily achieve such security if they share n EPR-pairs (or 
if they were able to establish EPR-pairs over a secure quantum channel), for then they can apply 
teleportation BBC'*"93| and transmit every qubit via 2 random classical bits, which will give Eve 



no information whatsoever. But now suppose Alice and Bob do not share EPR-pairs, but instead 
they only have the resource of shared randomness, which is weaker but easier to maintain. 
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A first question is: is it at all possible to send quantum information fully securely using only 
a finite amount of randomness? At first sight this may seem hard: Alice and Bob have to "hide" 
the amplitudes of a quantum state, which are infinitely precise complex numbers. Nevertheless, 
the question has a positive answer. More precisely, to privately send n qubits, a 2n-bit classical 
key is sufficient. The encryption technique is fairly natural. Alice applies to the state p she wants 
to transmit a reversible quantum operation specified by the shared key K (basically, she applies 
a random Pauli matrix to each qubit), and she sends the result p' to Bob. In the most general 
setting this reversible operation can be represented as doing a unitary operation on the state p 
augmented with a known fixed ancilla state pa- Knowing the key K that Alice used, Bob knows 
which operation Alice applied and he can reverse this, remove the ancilla, and retrieve p. In order 
for this scheme to be information-theoretically secure against the eavesdropper, we have to require 
that Eve always "sees" the same density matrix po on the channel, no matter what p was. Because 
Eve does not know this condition can indeed be satisfied. Accordingly, an insecure quantum 
channel can be made secure (private) by means of shared classical randomness. 

A second question is, then, how much key Alice and Bob need to share in order to be able to 
privately transmit any n-qubit state. A good way to measure key size is by the amount of entropy 
required to create it. As one might imagine, showing that 2n bits of key are also necessary is the 
most challenging part of the article. We prove this in Section ^.0 Accordingly, in analogy with the 
classical one-time pad, we have an optimal quantum one-time pad which uses 2n classical bits to 
completely "hide" n qubits from Eve. In particular, hiding a qubit is only twice as hard as hiding 
a classical bit, despite the fact that in the qubit we now have to hide amplitudes coming from a 
continuous set. 

Now imagine an alternative scenario. Alice has a state p from some specific set and she wants 
to randomize it completely. How much entropy does she need for this? That is, what is the 
thermodynamical cost of forgetting quantum information? A natural and general way to do that 
is for Alice to perform a unitary transformation to p augmented with an ancilla and then to forget 
which one. The thermodynamical price of this operation is now the entropy of the probability 
distribution over the set of unitary transformations. The parallel between these two scenarios should 
be clear. If one has a private quantum channel, one automatically has a related randomization 
procedure. Consequently, we obtain the result that 2n bits are necessary and sufficient to randomize 
an n-qubit quantum register. For the case n = 1, this result has also been obtained by Braunstein, 



Lo, and Spiller iBLS99| , |Lo99|] 



The article is organized as follows. Section |2| introduces some notation and some properties 
of Von Neumann entropy. In Section ^ we give a formal definition of a private quantum channel 
(PQC). In Section ^ we give some examples of PQCs. In particular we show that there is a PQC 
that privately sends any n-qubit state using 2n bits of randomness (shared key). We also exhibit 
a non-trivial set of n-qubit states (namely the tensor products of qubits with real amplitudes) for 
which there is PQC requiring only n bits of randomness. The latter result includes the classical 
one-time pad. In Section || we show that 2n bits of randomness are necessary if we want to be able 
to send any n-qubit state privately. Finally, in Section ^ we restate the previous results in terms 
of the thermodynamical cost of randomization of quantum information. 

Remark about related work. A number of recent papers independently discussed issues 
similar to our work. We already mentioned the result of Braunstein, Lo, and Spiller [ BLS99| , Lo99|| 



for state randomization. Very recently, Boykin and Roychowdhury [BROC] exhibited the 2n-bit 



^Note that if Alice and Bob share an insecure two-way channel, then they can do quantum key exchange |BB84] 



in order to establish a shared random key, so in this case no prior shared key (or only a very small one) is required. 
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Pauli-matrix one-time pad and proved a 2n-bit lower bound for the case where the encryption 
scheme does not ahow the use of an ancilla state (they also give a general characterization of all 
possible encryption schemes without ancilla). In Section ^ we give a simpler proof of this lower 
bound for the no-ancilla case and give a different and more complicated proof for the lower bound 
in the case where we do allow an ancilla. 



2 Preliminaries 

2.1 States and operators 

We use 11^11 for the Euclidean norm of vector v. If A is a matrix, then we use for its conjugate 
transpose and Tr(yl) for its trace (the sum of its diagonal entries). A square matrix A is Hermitian 
if A = A"^ , and unitary if A~^ = A^. Important examples of unitary transformations are the 4 Pauli 
matrices: 

10\ /01\ f -i\ f 1 



= > 1 ; ' ^1 = V 1 y ' ^ V ^ y ' v o -i 

Let |0) , . . . , \M — 1) denote the basis states of some M-dimensional Hilbert space Ti.M- We use 
7^2" for the Hilbert space whose basis states are the 2"" classical n-bit strings. A pure quantum 
state is a norm-1 vector in TCm- We treat \(p) as an M-dimensional column vector and use 
(^1 for the row vector that is its conjugate transpose. The inner product between pure states \(j)) 
and is {4>\4^)- A mixed quantum state or density matrix p is a non-negative Hermitian matrix 
that has trace Tr(p) = 1. The density matrix corresponding to a pure state {(p) is |(/>) {4>\. Because 
a density matrix p is Hermitian, it has a diagonalization p = ^j^iPi |</>j) where the pi are 
its eigenvalues, pi > 0, J^i^'i = 1) the form an orthonormal set. Thus p can be viewed 
as describing a probability distribution over pure states. We use Im = j^^M = Z^i^i K) (^1 to 
denote the totally mixed state, which represents the uniform distribution on all basis states. If two 
systems are in pure states and \ip), respectively, then their joint state is the tensor product pure 
state \ip) = \ip). If two systems are in mixed states pi and p2, respectively, then their joint 
state is the tensor product pi (gi p2- Note that ® \ip)){{4>\ is the same as {(f)\ \ip) {ip\. 

Applying a unitary transformation J7 to a pure state gives pure state U {(p), applying U to 
a mixed state p gives mixed state UpU^. We will use £ = {^/piUi | 1 < « < iV} to denote the 
superoperator which applies Ui with probability pi to its argument (we assume YliPi — Thus 
£{p) = YliPi^iP^i ■ Quantum mechanics allows for more general superoperators, but this type 
suffices for our purposes. If two superoperators £ = {^/plUi \ 1 < i < N} and £' = {-y/p^C/j' | 
1 < z < A^'} are identical {£{p) = £'{p) for all /?), then they are unitarily related in the following 
way |Nie98, Section 3.2] (where we assume N > N' and if N > N' we pad £' with zero operators 



to make £ and £' of equal size): there exists a unitary N x N matrix A such that for all i 



N 



/PiUi = y^^Ajjjp'-u'j. 



2.2 Von Neumann entropy 

Let density matrix p have the diagonalization X^^^Pi \ (pi) {<pi\- The Von Neumann entropy of p is 
S{p) = H{pi, . . . ,pn) = — YliLiPi^^SPij where H is the classical entropy function. This S{p) can 
be interpreted as the minimal Shannon entropy of the measurement outcome, minimized over all 
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possible complete measurements. Note that S{p) only depends on the eigenvalues of p. The follow- 
ing properties of Von Neumann entropy will be useful later (for proofs see for instance | Weh78| ]). 



1. S{\(j)) = 0, for every pure state 

2. Sipi0p2) = Sipi) + S{p2). 

3. S{UpU^) = S{p). 

4. S{Xipi + X2P2 H h XnPn) > Ai5(pi) + X2S{p2) H h XnS{pn) if Aj > and Yli Aj = 1- 

5. If p = YliLiPi \4>i) with the not necessarily orthogonal, then S{p) < H{pi, . . . ,pn)- 

3 Private Quantum Channel 

Let us sketch the scenario for a private quantum channel. There are possible keys, which we 
identify for convenience with the numbers 1, . . . ,N. The ith key has probability pi, so the key has 
entropy H{pi, . . . ,pn) when viewed as a random variable. Each key i corresponds to a unitary 
transformation C/j. Suppose Alice wants to send a pure state \(p) from some set S to Bob. She 
appends some fixed ancilla qubits in state pa to and then applies Ui to Pa, where 

i is her key. She sends the resulting state to Bob. Bob, who shares the key i with Alice, applies 
to obtain \(f)) {(f)\ pa, removes the ancilla pa, and is left with Alice's message \(f>) (^|. Now in 
order for this to be secure against an eavesdropper Eve, we have to require that if Eve does not 
know i, then the density matrix po that she gets from monitoring the channel is independent of |(/)). 
This implies that she gets no information at all about Of course. Eve's measuring the channel 
might destroy the encoded message, but this is like classically jamming the channel and cannot be 
avoided. The point is that if Eve measures, then she receives no information about \(p). It is not 
hard to see that this is the most general quantum mechanical scenario which allows Bob to recover 
the message perfectly and at the same time gives Eve zero information. 
We formalize this scenario as follows. 

Definition 3.1 Let S C 7^2" be a set of pure n-qubit states, £ = {y/piUi | 1 < i < N} be a 
superoperator where each Ui is a unitary mapping on 7i2-^, X^i^iP* ~ be an (m — n)-qubit 

density matrix, and po be an m-qubit density matrix. Then [S, £, Pa, Po] "is called a Private Quantum 
Channel (PQC) if and only if for all £ S we have 

N 

sm (01 ® Pa) = Y.p^'^^ d'^) ('^i ® P-) = PO- 

i=l 

If n = m (i.e. no ancilla), then we omit pa- 

Note that by linearity, if the PQC works for all pure states in 5, then it also works for density 
matrices over S: applying the PQC to a mixture of states from S gives the same po as when 
we apply it to a pure state. Accordingly, if [5,{y^[/j | 1 < i < A^},/Oa,po] is a PQC, then 
H{pi, . . . ,pn) bits of shared randomness are sufficient for Alice to send any mixture p of 5-states 
to Bob in a secure way. Alice encodes p m a reversible way depending on her key i and Bob can 
decode because he knows the same i and hence can reverse Alice's operation On the other 
hand. Eve has no information about the key i apart from the distribution pi, so from her point of 
view the channel is in state pEve = Po- This is independent of the p that Alice wants to send, and 
hence gives Eve no information about p. 
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4 Examples of Private Quantum Channels 



In this section we exhibit some private quantum channels. The first uses 2n bits key to send privately 
any n-qubit state. The idea is simply to apply a random Pauli matrix to each bit individually. This 

takes 2 random bits per qubit and it is well known that the resulting qubit is in the completely 
mixed state. For notational convenience we identity the numbers {0, . . . , 2^" — 1} with the set 
{0, 1, 2, 3}". For X G {0, 1, 2, 3}" we use Xi G {0, 1, 2, 3} for its ith entry, and we use to denote 
the n-qubit unitary transformation (8) • • • <8) (Tx„ ■ 

Theorem 4.1 If £ = | x G {0,1,2,3}"}, then [n2^ , £ , 12"] is a PQC. 

Proof It is easily verified that applying each with probability 1/4 to a qubit puts that qubit in 
the totally mixed state I2 (no matter if it is entangled with other qubits). Operator £ just applies 
this treatment to each of the n qubits, hence £(\4>) {(p\) = I2" for every G 7^2"- ^ 

Since the above £ contains 2^" operations and they have uniform probability, it follows that 2n 
bits of private key suffice to privately send any state from 7^2" • 

The next theorem shows that there is some nontrivial subspace of 7^2" where n bits of private 
key suffice, namely the set of all tensor products of real-amplitude qubits. 

Theorem 4.2 If B = {cos{e) |0) + sin(6») |1) | < 6» < 27r}, S = S®", and £ = {-;^Ox \ x G 
{0,2}"}, then [5,f,/2n] is a PQC. 

Proof This is easily verified: applying o"o and (T2, each with probability 1/2, puts any qubit from 
B in the totally mixed state. Operator £ does this to each of the n qubits individually. □ 



Note that if we restrict B to classical bits (i.e. 9 G {0, 7r/2}) then the above PQC reduces to the 
classical one-time pad: flipping each bit with probability 1/2 gives information-theoretical security. 

In the previous PQCs, po was the completely mixed state /2". This is no accident, and holds 
whenever n = m and 12^ is one of the states that the PQC can send: 

Theorem 4.3 // [S,£,po] is a PQC without ancilla and /2" can be written as a mixture of S- 
states, then po = /2" • 

Proof If 72" can be written as a mixture of S-states, then 

N N N 

PO = £{12") = Y.PiU,i2"Ul = ^UiU} = ^h" =12". □ 

i=l i=l i=l 

In general po need not be /2". For instance, let S = {|0) , ;^(|0) + 11))}, £ = {^/plI2, ^ } 

(- -\ 

with pi = P2 = 1/2) E^nd Po = I 1 1 ) • Then it is easily verified that \S, £, po] is a PQC. 

\4 4/ 

5 Lower Bound on the Entropy of PQCs 

In the previous section we showed that 2n bits of entropy suffice for a PQC that can send arbi- 
trary n-qubit states. In this section we will show that 2n bits are also necessary for this. Very 
recently and independently of our work, this 2n-bit lower bound was also proven by Boykin and 
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Roychowdhury [ BROC ] for the special case where the PQC is not allowed to use any ancilla qubits. 
We will first give a shorter version of their proof, basically by observing that a large part of it can 
be replaced by a reference to the unitary equivalence of identical superoperators stated at the end 
of Section 



Theorem 5.1 // [712^, {^iUi | 1 < i < iV},/2"] is a PQC, then H{pi, . . . ,pn) > 2n. 



Proof Let £ = {^/piUi}, £' = {-mK^^x | x G {0, 1,2,3}"'} be the superoperator of Theorem |0 



and let K = max(22", N). Since £{p) = £'{p) = for all n-qubit states p, we have that £ and £' 



are unitarily related in the way mentioned in Section 2A: there exists a unitary K x K matrix A 
such that for all 1 < i < we have 



/PiUi 



E 



A^ 



2:e{0,l,2,3}" 



We can view the set of all 2" x 2"' matrices as a 22'^-dimensional vector space, with inner product 



{M,M') = Tr(MtM')/2" and induced matrix norm ||M|| = ^/{M, M) (as done in pRO0[| ). Note 
that ||M|| = 1 if M is unitary. The set of all Ox forms an orthonormal basis for this vector space, 
so we get: 



Pi = \\^/PiUi\\ -■ 
Hence N > 2^" and H{pi, ... ,pN)>2n 



< 



22n- 



□ 



However, even granted this result it is still conceivable that a PQC might require less random- 
ness if it can "spread out" its encoding over many ancilla qubits — it is even conceivable that those 
ancilla qubits can be used to establish privately shared randomness using some variant of quantum 



key distribution. The general case with ancilla is not addressed in [ BROC ], and proving that the 
2n-bit lower bound extends to this case requires more work. The next few theorems will do this. 
These show that a PQC that can transmit any n-qubit state requires 2n bits of randomness, no 
matter how many ancilla qubits it uses. Thus Theorem |4.1| exhibits an optimal quantum one-time 
pad, analogous to the optimal classical one-time pad mentioned in the introduction. 

We will use the notation = {\i) \ 0<i<k — 1} for the set of the first k classical states. 
The next theorem states that a PQC that privately conveys n qubits using m bits of key, can be 
transformed into a PQC that privately conveys any state from C22n, still using only m bits of key. 

Theorem 5.2 // there exists a PQC [7i2^^,£ = {y/plUi | 1 < i < N^, pa, po], then there exists a 

PQC [C22n,£' = {^Ui \l<i< iV},Pa,/2n ®po]. 

Proof For ease of notation we assume without loss of generality that £ uses no ancilla, so we 
assume po is an n-qubit state and omit pa (this does not affect the proof in any way). We first 
show that £{\x) (y|) = whenever x,y £ C22U and x ^ y {£{\x) is well-defined but somewhat 
of an abuse of notation, since the matrix \x) {y\ is not a density matrix). This is implied by the 
following 3 equalities: 

p, = £ Q(|x) (x| + \y) (y|)) = \ {£{\x) (x|) + £{\y) {y\)) . 

p, = £ ((^(k) + |y)))(^((^l + m) = \ m^) {A) + ^{\v) (y|) + ^(k) (y|) + ^{\v) (^D) • 
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p, = £(^{l={\x)+i\ym^{{x\-^{y\)) 



1 



i£i\x) (x|) + £i\y) {y\) - i£{\x) {y\) + ^£i\y) (x|)) . 



The first and second equality imply £{\x) {y\) + £{\y) {x\) = 0, the first and third equality imply 
£{\x) (2/1) - £{\y) {x\) = 0. Hence £{\x) {y\) = £{\y) {x\) = 0. 

We now define £' and show that it is a PQC. Intuitively, £' will map every state from C22n 
to a tensor product of n Bell states by mapping pairs of bits to one of the four Bell states]^ The 
second bits of the pairs are then moved to the second half of the state and randomized by applying 
£ to them. Because of the entanglement between the two halves of each Bell state, the resulting 
2n-qubit density matrix will be I2" tX" po- More specifically, define 



2"-l 



U\x) 



(cr,. lo 



/on / — ^ 



1=0 



with ax = • • • crx„ as in Theorem 4.1. Also define Ul = (I2" (8) Ui)U . It remains to show 
that £'{\x) (x|) = /2" /?o for all |a;) G C22n: 



£'{\x) 



N 



2"-l 



2"-l 



i/=0 



z=0 



TV 



:^X]^''(^2" I Yl \y) {^\ \y) {z\ \ ih^ Ui)^ 

y,z€{0,2"~l} 



i=l 



{ax 0/2")^ 



h,zG{0,2"-1} \i=l / 



{(Tx /2" 



i/,ze{o,2"-i} 

2"-l 



i E \y) iy\^^£i\y) iy\) 



{(Tx 0/2")^ 



= {ox (8) /2") h" (8 poj iX /2")^ 

= /2" (8 /30- 

In the step marked by (*) we used that £{\y) {z\) = if y 7^ z. 



□ 



Before proving a lower bound on the entropy required for sending arbitrary n-qubit states, we 
first prove a lower bound on the entropy required for sending states from C2™. Privately sending 
any state from C2™ corresponds to privately sending any classical m-bit string. If communication 
takes place through classical channels, then Shannon's theorem implies that m bits of shared 
key are required to achieve such security. Shannon's classical lower bound does not translate 
automatically to the quantum world (it is in fact violated if a two-way quantum channel is available, 
see Footnote 0). Nevertheless, if Alice and Bob communicate via a one-way quantum channel, then 
Shannon's theorem does generalize to the quantum world: 

^The 4 Bells states are -^i\00) ± |11>) and ^(|01) ± |10)). 
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Theorem 5.3 // , {^^iUi \1 <i < N}, pa, po] is a PQC, then H{pi, . . . ,pn) > m. 

Proof Diagonalize the ancUla as pa = Sj=i Qj iV'i) (^jl) so S{pa) = H{qi, . . . ,qr). First note that 
the properties of Von Neumann entropy (Section ^) imply: 

(N \ / N r 

Y.p^Ui{\o) {o\^pa)uj \=sl j2J2mjum (oi ® iV',) mwj 
i=i J \i=i j=i 

< H{piqi,piq2, . . . ,pNqr-i,PNqr) = H{pi, . . . ,pn) + H{qi, . . . ,qr). 

Secondly, note that 

/ N \ N N 

S{po) = S i '^PiUi{i2m (g) Pa)Uj I > '^PiS {l2"^ Pa^ = '^Pii'm + S{pa)) = Ul + S{pa). 
\i=l J 1=1 1=1 

Combining these two inequalities gives the theorem. □ 
In particular, for sending arbitrary states from 622^ we need entropy at least 2n. Combining 



Theorems 5.2 and 5.3 we thus obtain 



Corollary 5.4 // ['H2" , {^^PiUi | 1 < i < N},pa,po] is a PQC, then H{pi,... ,pn) > 2n (and 
hence in particular N > 2^" J. 



In relation to Theorem 4.2, note that C2" ^ i?*^". Hence another corollary of Theorem is 



the optimality of the PQC of Theorem 4.2 



Corollary 5.5 // [fi®",{^C/i | 1 < i < N},pa,po] is a PQC, then H{pi,... ,pn) > n (and 
hence in particular N > TP"). 

6 Randomization of Quantum States 

The above concepts and results were motivated by cryptographic goals, namely to enable private 
transmission of quantum information using a shared classical key. However, our results can also be 
stated in terms of the problem of "forgetting" or "randomizing" quantum information, as discussed 
recently by Braunstein, Lo, and Spiller |BLS99|. 



The randomization of a quantum source 5 is a procedure that maps any state p coming from 
S to some fixed constant state /?o (for instance the completely mixed state). The process thus 
"forgets" what was specific to p. To help in this process, we allow the randomizing process to make 
use of a piece of the environment which is in some fixed state pa (ancilla qubits). We also give it 
access to some source of classical randomness. Because every quantum operation can be viewed 
as a unitary transformation on a larger space, we can assume without loss of generality that the 
randomization process has the following form: it uses the source of randomness to pick some i with 
probability pj, then it applies some unitary transformation C/j to p and the ancillary environment, 
and then it forgets i. The resulting mixed state should be po- At this point it should be clear to the 
reader that if [5,{y^C/j | 1 < i < A^},/Oa)/'o] is a PQC, then it also constitutes a randomization 
procedure, and vice versa. 

We are interested in the amount of entropy that such a randomization procedure needs to gener- 
ate. This is the entropy of forgetting the random classical input i. It quantifies the thermodynamic 
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cost of the process. Braunstein, Lo, and Spiller [|BLS99(| have shown that 2 bits of entropy are 
necessary and sufficient for the randomization of 1 qubit. By translating our PQC-results to the 
randomization-context, we can generahze their result to: 

Corollary 6.1 The generation of 2n hits of entropy is sufficient and necessary in order to ran- 
domize arbitrary n-qubit states. 



Proof Sufficiency follows from Theorem 4.1 and necessity from Corollary p^. □ 



For the more limited set of states S = B®^ we have: 

Corollary 6.2 The generation ofn bits of entropy is sufficient and necessary in order to randomize 
arbitrary tensor products of n real- amplitude qubits. 



Proof Sufficiency follows from Theorem 4.2 and necessity from Corollary p^. □ 



7 Summary 

The main result of this paper is an optimal quantum version of the classical one-time pad. On the 
one hand, if Alice and Bob share 2n bits of key, Alice can send Bob any n-qubit state p, encoded 
in another n-qubit state in a way which conveys no information about p to the eavesdropper. This 
is a simple scheme which works locally (i.e. deals with each qubit separately) and uses no ancillary 
qubits. On the other hand, we showed that even if Alice and Bob are allowed to use any number 
of ancilla qubits, then they still require 2n bits of entropy. In the context of state randomization, 
it follows that 2n bits of entropy are necessary and sufficient for randomization of n-qubit states. 
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